This post is a continuation of the first part of the Advanced IPsec topic. This post's topic is the hub-and-spoke topology on SRX devices. I will use the following topology for this post:

Because I have only two srx210 devices, I am using a Linux box as the second spoke instead of an SRX in my hub-and-spoke IPsec VPN setup. I will also attach my Linux setup as a reference.

Let's configure the hub, srx1 (the entire configuration of the devices will be provided at the end of the post; to see how the security policies are configured along with all the supplementary configuration, take a look at the entire configuration, since I only add the IPsec-related config here).

A hub-and-spoke VPN setup is almost the same as site-to-site, but the hub device needs extra configuration. For example, 10.11.11.2 is the srx2 device's st0.0 interface address; for Junos-to-Junos devices the next-hop-tunnel entry under the st0.0 interface isn't necessary, but for non-Junos devices we should add it (this is what I know). Once this is in place you should route the remote protected network to this next-hop-tunnel address, which can be seen in the output of the "show routing-options" command. Don't forget to configure the multipoint option either.
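To make the hub-side pieces concrete, here is an illustrative Junos set-format configuration for the hub that I have added for this post; it is not the configuration from the lab above. The VPN, gateway and policy names (vpn-srx2, vpn-linux, gw-srx2, gw-linux, ike-pol, ipsec-pol), the hub st0.0 address 10.11.11.1/24 and the ge-0/0/0.0 external interface are assumptions; only 10.11.11.2, 10.11.11.3 and 172.16.100.0/24 come from the post, and the angle-bracket values are placeholders.

```junos
# Hub srx1, illustrative only (not the post's own config). Assumed names:
# vpn-srx2, vpn-linux, gw-srx2, gw-linux, ike-pol, ipsec-pol, 10.11.11.1/24.

# One multipoint tunnel interface shared by all spokes
set interfaces st0 unit 0 multipoint
set interfaces st0 unit 0 family inet address 10.11.11.1/24

# The Linux spoke does not run Junos, so the hub cannot learn its tunnel
# address over the tunnel; map 10.11.11.3 to that VPN statically.
# 10.11.11.3 is only meaningful on the hub; the Linux box never configures it.
set interfaces st0 unit 0 family inet next-hop-tunnel 10.11.11.3 ipsec-vpn vpn-linux

# Phase 1: one IKE gateway per spoke, sharing one IKE policy
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "<psk-placeholder>"
set security ike gateway gw-srx2 ike-policy ike-pol
set security ike gateway gw-srx2 address <srx2-public-ip>
set security ike gateway gw-srx2 external-interface ge-0/0/0.0
set security ike gateway gw-linux ike-policy ike-pol
set security ike gateway gw-linux address <linux-public-ip>
set security ike gateway gw-linux external-interface ge-0/0/0.0

# Phase 2: both VPNs bind to the same multipoint st0.0
set security ipsec policy ipsec-pol proposal-set standard
set security ipsec vpn vpn-srx2 bind-interface st0.0
set security ipsec vpn vpn-srx2 ike gateway gw-srx2
set security ipsec vpn vpn-srx2 ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-srx2 establish-tunnels immediately
set security ipsec vpn vpn-linux bind-interface st0.0
set security ipsec vpn vpn-linux ike gateway gw-linux
set security ipsec vpn vpn-linux ike ipsec-policy ipsec-pol
set security ipsec vpn vpn-linux establish-tunnels immediately

# Route each remote protected network to its spoke's tunnel address.
# 172.16.100.0/24 resolves through the next-hop-tunnel entry to vpn-linux;
# the srx2 spoke (10.11.11.2) is a Junos peer, so no next-hop-tunnel entry.
set routing-options static route 172.16.100.0/24 next-hop 10.11.11.3
set routing-options static route <srx2-protected-net> next-hop 10.11.11.2

# st0.0 must sit in a security zone; the zone policies are omitted here
set security zones security-zone vpn interfaces st0.0
```

The security policies between the trust zone and the vpn zone are left out, as in the post's own excerpt; without them no traffic crosses st0.0.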

I want to note something here about the Linux-side config, which is somewhat different from the SRX. We route the protected network 172.16.100.0/24 directly to the 10.3.3.1 gateway. We don't use a secure tunnel IP or anything else; all of it is handled by the security policies registered in the kernel. In the SRX config it seems the Linux tunnel address is 10.11.11.3, but this address is never configured on the Linux side. It isn't needed; it has only local significance on the SRX. Let's see these policies:

We can see the same SPI in the Linux SAD as well, and the lines I marked in red are the encryption keys. When I noticed that they are encryption keys, I was shocked! You can decrypt IPsec traffic by using these keys.

I have actually tested this setup and prepared this post from it. If you see any error, please don't hesitate to contribute :)

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN; currently living in the Netherlands and working as a Network Support Engineer.
// JNCIE-SEC #223 / RHCE / PCNSE